New Dropper Infects Victims with Revenge RAT and WSHRAT

Delaware, USA – November 18, 2019 – New malware with low detection rates installs two remote access trojans on victim machines. The dropper was detected and analyzed by the Fortinet team; at the time of publication of the report, the malware was detected by 8 antivirus engines only. Original Javascript code decodes VBScript obfuscated with character replacements which calls a Shell.Application object generating new VBS script file that downloads a new portion of obfuscated code. New script reaches the command-and-control server to save Microsoft.vbs file to the Windows temporary folder. After execution, Microsoft.vbs collects information about the infected system, disables potential warnings, adds a key to the Windows registry, and executes PowerShell commands to install Revenge RAT.

The trojan gathers system data and transfers it to C&C servers, Revenge RAT can be used to receive malicious ASM code and executed it in memory, and to manipulate the system registry with given values. In addition, the dropper installs another trojan – WSHRAT, the encrypted code of which is also contained in the Microsoft.vbs file. This trojan can be purchased by any attacker on the underground forums, and its current version has a wider range of capabilities than the Revenge RAT. WSHRAT is configured to exfiltrate information harvested from multiple browsers, act as a keylogger, and execute files.

It has not yet been established how this malware is distributed in the wild and who its main targets are. You can learn more about Revenge RAT and download the rules for its detection on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/
You can also leverage the rules to detect malicious use of PowerShell commands to stop the attack in the early stages: https://tdm.socprime.com/